Counting on free travel this summer season? Criminals want your rewards points
It's the official start of summer travel season, which means it's time to take a moment to re-evaluate the cybersecurity of your rewards programs, or a criminal could wreck your vacation plans.
Imagine spending all year meticulously booking hotels and flights and piling up credit card purchases designed to maximize rewards points -- and then logging in to find all those points have been stolen by a hacker. And you are unable to book that precious two-week family trip because a criminal has raided your rewards account.
I don't have data showing there's a rise in reward account hacking lately, but I've heard and read enough horror stories that I believe it's time to issue a fresh warning to consumers: criminals are after those hard-earned points, so you should defend them like any bank account.
Over at The Perfect Scam podcast I host for AARP, I spoke recently to a victim named Jody who went through a months-long ordeal after a points hack. Her family's account was drained, her credit card restored the points, and it happened again. Hackers ordered gift cards with the points, purchased items from retail stores ... even bought Cheetos at one point, probably to taunt her. For a while, the family's 100,000-point balance was reduced to ... zero.
"It was so frustrating because we had been trying to stop this fraud for several weeks now, and it seemed like no matter how many conversations we had with the bank's fraud department, they were still figuring out how to access our account," she told me.
Jody ultimately got all her points back, thanks to meticulous record-keeping, but it was a deeply annoying episode. And it did threaten the family vacation.
A quick Google search shows plenty of other people going through the same thing. One Reddit user claims a criminal stole 372,000 points. In response, another wrote "Same thing happened to me .. two times within past year."
So what's going on? It's important to realize that in many cases, rewards programs are administered by third-party companies. That'll be fairly obvious when you go to redeem points and find yourself on an entirely different website. This third-party firm may or may not use the same level of backend security as your bank. And you may or may not use the same strong password. For the podcast, I interviewed cybersecurity expert Dan Lohrmann, who told me that many rewards administrators don't enforce two-factor authentication. It makes sense that criminals would target these outside firms.
When possible, you should implement two-factor protections on all rewards accounts, preferably with a token-based authentication tool; at the least, force text-message approvals for logins.
Also, I believe criminals attack points programs because some consumers might not be as diligent about checking up on them. While you might notice a fraudulent purchase on your credit card or a fraudulent withdrawal from your debit card almost immediately, you might not be quite so vigilant about checking your points balance. You might not even have a sense of what it should be on any given day. I'm not one to give you more homework, but it certainly makes sense to check your balance every time you pay your bill or book a trip.
Jody didn't lose any money, and it is my sense that other victims are getting "refunds" too. But that doesn't mean point theft is a victimless crime. Of course, theft hurts us all, even if the banks have to cover the initial cost. But Jody and her husband wasted a lot of time and mental energy dealing with this incident. Also, had it been timed differently, she might have missed out on booking windows for this year's family trip.
So even if you trust your bank to do right by you in a situation like this, you don't want to be a points hack victim. Take a few moments now to make sure your valuable points are protected.
You can listen to this episode by subscribing to The Perfect Scam wherever you get podcasts. Or, if you don't listen to podcasts, a partial transcript is below.
------Partial transcript------
[00:07:29] Jody: Right, so in December, my husband just happened to check the email account that he had set up to get notifications when our points had been redeemed and noticed that there was a redemption that he had not authorized to purchase an Apple gift card using the points.
[00:07:52] Bob: So he gets a warning, somebody's used, somebody's gotten a gift card from, with your points.
[00:07:57] Jody: Right. So not only can you use these points for travel, but you can also redeem them for gift cards online, which is not something we ever do personally. So he immediately called Chase's fraud department, after a lengthy conversation with them they assigned him a verbal password to his account. Someone had enough of his personal information that they were able to call Chase and impersonate my husband and gain access to the account.
[00:08:30] Bob: The criminals are able to cash in a few thousand points and get a gift card for a couple hundred dollars, but it's not that big a deal. Chase immediately restores the points and the fraud department issues them a new card, so Jody hopes that'll be the end of it. It is not.
[00:08:48] Jody: Before we even received the new credit card, my husband received a text saying that there is a purchase at Target, and this was an out-of-state Target, for a high dollar amount. Did you authorize this purchase? And so he was thinking this was more fraud, and when the text asked him to give him the code that you're going to receive on your text to verify your identity so that we can cancel this transaction, he went ahead and gave them the code.
[00:09:26] Bob: Hmm. And this was a straight credit card transaction, right?
[00:09:30] Jody: Right.
[00:09:30] Bob: It wasn't a points thing, okay, yeah.
[00:09:33] Jody: So then he not, shortly after that happened, he noticed that there was another redemption for more electronic gift cards out of the account with our points.
[00:09:44] Bob: Oh boy. So you haven't even gotten a new card yet, and now you realize that they're raiding your points.
[00:09:49] Jody: Exactly. So he called Chase fraud again, learned to his dismay that the text he responded to was a very cleverly designed text, almost identical to other text messages he had received in the past from Chase, but definitely sent to him by a criminal, not Chase Bank.
[00:10:13] Bob: They were bypassing that two-factor authentication this way, right?
[00:10:16] Jody: Exactly, so.
[00:10:18] Bob: Oh no.
[00:10:19] Bob: The criminals needed to overcome the bank's two-factor authentication challenge, so they did that with a text message pretending to be the bank. Still, so far, the criminals have stolen a relatively small number of points and made a fraud purchase. Another call to the bank fixes that, but...
[00:10:37] Jody: So after the second bout of theft, we changed the credit card yet again, and thought it was resolved, and then we're not sure how they accessed the account the third time, but they went in and at that point cleaned out the points and it was over a thun--, hundred thousand points.
[00:10:57] Bob: Oh my God! Wow! They took everything.
[00:11:01] Jody: They took everything.
[00:11:03] Bob: Another new credit card doesn't fix the problem. And this time, the criminals manage to steal every last travel point in the family account.
[00:11:13] Bob: Just, for instance, what can you do with 100,000 points?
[00:11:16] Jody: So, I mean that would have purchased plane tickets for our entire family, or those points could have been converted to hotel points and we could have stayed for a week at a hotel.
[00:11:31] Bob: So they didn't just steal a bunch of points, they stole a whole family vacation from you.
[00:11:36] Jody: Exactly.
[00:11:37] Bob: Wow. Okay, so what does it feel like to see a zero balance?
[00:11:41] Jody: Oh it was so frustrating because we had been trying to stop this fraud for several weeks now, and it seemed like no matter how many conversations we had with the bank's fraud department, they were still figuring out how to access our account.
[00:11:57] Bob: Okay, so now I mean where do you go from zero?
[00:12:01] Jody: So we were very fortunate that the bank agreed to reinstate all the points, but also very paranoid if they would be secure once we got the points restored to our account balance.
[00:12:16] Bob: Now why would you be paranoid?
[00:12:18] Jody: I can't imagine why, Bob. (chuckles)
[00:12:20] Bob: God, I can't imagine, yeah, so, okay so and they give you what a, a new credit card? I mean...
[00:12:26] Jody: Yeah, so we so we were on our fourth Chase credit card...
[00:12:29] Bob: So the banks assure them with this fourth credit card that everything is fine. But Jody and her husband decide to take an extra step to make sure their account is safe.
[00:12:41] Jody: When my husband received the points back, he made the decision to transfer the points over to my Chase account because he felt like it would be most, more secure and at that point, they had not accessed my account...
[00:12:57] Bob: Makes a ton of sense to me, but also, at this point I'm thinking, wow, this is a lot of trouble.
[00:13:02] Jody: It was, and we spent hours on the phone with Chase.
[00:13:07] Bob: Were you confident, 'cause also my brain goes right away to somewhere along the line here you're going to lose some points, right? Now were you confident you got everything back?
[00:13:14] Jody: We were lucky that we got everything back, also my husband was keeping very careful track of all the points and the redemptions at this time to make sure we did get everything back. And I wish I could tell you, Bob, that that was the end of the problems we had, but it wasn't.
[00:13:31] Bob: A few weeks go by, and then the criminals up the stakes.
[00:13:36] Jody: So things quiet down, and then in February, I received a phone call from the head of my company's IT department asking if I was trying to change my company email account password. I told him, no. He was pretty confident this must be some kind of fraud, just letting you know I did not approve the request, and so I didn't really think anything of it because in my role, you know, we deal with fraud in my job as well. I really thought trying to change my work email address might rela--, be related to someone trying to access direct deposit information for employees.
[00:14:23] Bob: Right, God, okay. So that's, so now the problem is much, much bigger.
[00:14:28] Bob: And then, the criminals make their big move.
[00:14:31] Jody: So I remember I was getting ready to take my son to an after-school appointment. As we are getting ready to walk out the door, I get this frantic call from my husband saying, "You must call Chase fraud department now before they close. Someone has gone into your account now and they're trying to redeem the points for a cash advance."
[00:15:00] Bob: Oh no.
[00:15:01] Jody: So they, I believe it was for $20,000, taking all the points out of the account.
[00:15:08] Bob: But, but somebody was trying to steal $20,000 essentially from you?
[00:15:11] Jody: Yes, for the value of our points.
[00:15:13] Bob: Oh my God.
[00:15:15] Bob: So Jody races to get Chase on the phone to prevent what could be a $20,000 theft.
[00:15:25] Jody: Oh, it was so stressful, Bob. And I remember my husband telling me just cancel our son's appointment, but I didn't want to. So I'm talking to Chase on the Bluetooth in my car as I'm driving him over there. Because again, the fraud department was going to close within an hour. If I didn't get a hold of them then, I would not be able to speak to anyone the following day.
[00:15:51] Bob: Oh God. And again, they know what they're doing, they know the timing that they choose for these things, right?
[00:15:56] Jody: Um-hmm. So we were very fortunate that Chase was able to stop the money redemption, since I guess that goes through more checks and balances than redeeming the gift cards.
[00:16:12] Bob: But as that transaction is blocked, the criminals don't give up.
[00:16:17] Jody: So they also redeemed a couple more electronic gift cards that we had to request the points back again as well as now making sure my account was also set up with the highest level of Chase security.
[00:16:34] Bob: So they, they couldn't get the big one from you but they still got a couple of other smaller transactions.
[00:16:40] Jody: Yep, they got a couple of other smaller transactions which again Chase doesn't have any way to redeem that money back as far as we know once it's already been taken off the gift card.
[00:17:22] Bob: And then, Jody assumes, the criminals got angry at her and decide to have a little fun at her family's expense.
[00:17:01] Jody: Then, on the same day, I think maybe this was retaliation because we stopped the cash transaction; we also got a fraud alert on a Delta American Express card completely unrelated to Chase Bank that someone was trying to purchase $11,000 of jewelry from a store in Pittsburgh, Pennsylvania using our account.
[00:17:27] Bob: Wow. Now you're thinking whoever this is, they have the run of my whole personal life, right?
[00:17:32] Jody: Exactly. I was worried about what don't they have access to.
[00:17:37] Bob: Yeah, of course.
[00:17:39] Jody: And they hacked our Amazon.com account.
[00:17:42] Bob: Oh my God! What did they do with that?
[00:17:43] Jody: So um, again, we were able to get the money back on our credit card, but they purchased a laptop, and also the funny part was they purchased a whole bunch of Cheetos. So I guess all the crime was making them hungry.
[00:18:03] Bob: I guess that's funny, although it's not really funny, is it?
[00:18:05] Jody: No.
[00:18:05] Bob: Oh my God. Ah, but, but also it sort of speaks to kind of how sophomoric this group must be, right, they're, yeah, I mean they, I think you're right. I think out of spite they tried this Pittsburgh thing, and then they, just to show you how funny they were, they bought Cheetos.
[00:18:23] Jody: Yes.
[00:18:24] Bob: So Jody has a lot more homework to do that night. And after all this back and forth with the fraud department, she has some opinions about what the criminals were really up to.
[00:18:35] Bob: Do, do you have a sense that it's easier for criminals to steal points than it is for them to make fraudulent credit card purchases?
[00:18:42] Jody: Absolutely. We did not know that much about points getting stolen until we went through this experience, but...
[00:18:50] Bob: Now you're an expert.
[00:18:51] Jody: Yeah, now I'm an expert, and we've learned that first of all, the criminals like these scams because people are not as vigilant about checking their credit card points as they may be about checking their actual credit card purchases.
[00:19:05] Bob: That makes sense to me. You know I think most people think of the points as a sort of bonus that's kind of sitting out there, you know, it's a, a nice surprise when you are thinking about using them once a year or something. So they can rely on consumers not being as vigilant.
[00:19:20] Jody: I do agree. And also, this fraud was coming from a third-party online vendor that Chase partners with, that allows their customers to purchase gift cards if they want to do that with their points. There were several instances where they did access our account, including when my points were stolen, where they never changed the password on our account or the email. So to this day, we do not know how they accessed the account a couple of the occasions where they got back into the account and fraudulently redeemed the points, and so I think this is a big issue for these banks and airlines and hotel chains that have these programs to provide better security for their customers.
[00:20:11] Bob: Jody mentioned several times that these hacks seem to happen at night which she thought was deliberate because they might not be detected until the following day, and also this whole string of incidents began during the busy holiday season.
[00:20:26] Jody: Yeah, so this is taking place in December still, and so when my husband called back the second time, now he was told it would take four to six weeks to get the points back, um, and apparently Chase Bank was being inundated with similar fraud from multiple customer accounts.
[00:20:50] Bob: Okay, well that doesn't sound good.
[00:20:51] Jody: No, um, and also, I think the holidays seem to be a prime time for scams.